Traditional encryption on the Internet, such as that provided by Internet Protocol Security (IPsec), a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session and which also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session, is intended for providing users with security for sensitive data and applications. IPsec was designed for authenticating and encrypting IP packets between two devices e.g. routers, in a point-to-point fashion by establishing an encryption tunnel between those routers. IPsec was not designed for network level encryption and security between a multitude of routers communicating together and between one another simultaneously without establishing a full mesh of IPSec tunnels between routers. Creating full meshes of IPSec tunnels for inter-nodal encrypted traffic is cumbersome and inefficiently uses network and router precious resources. IPSec and other prior art solutions also do not provide encryption and authentication security for IP/MPLS control plane traffic (such as OSPF, BGP, RIP, RSVP-TE, LDP, and similar protocols) used in an IP/MPLS network to establish routing and signaling between nodes.
Commonly used encryption standards include: DES (Data Encryption Algorithm); 3DES (Triple Data Encryption Algorithm); Blowfish (Blowfish symmetric key block cipher standard); Twofish (Twofish symmetric key block cipher standard); Serpent (Serpent symmetric key block cipher standard); SNOW 3G (SNOW stream cipher standard); Kasumi-F8 (Kasumi-F8 block cipher); AES-128 (Advanced Encryption Standard 128 bit key); AES-192 (Advanced Encryption Standard 192 bit key); and AES-256) Advanced Encryption Standard 256 bit key).
The US Congress and Senate are requiring utility companies to expand investment in cyber-security to protect the evolving “Smart Grid”. As well, North American Electric Reliability Corporation (NERC) Standards defined national standards for security through NERC-CIP (NERC Critical Infrastructure Protection) requirements, of which encryption/authentication is an important aspect. Likewise, similar requirements are appearing worldwide for corresponding applications, for example, specifications and requirements through the IEC (International Electrotechnical Commission).
It would be useful to have an efficient method which could encrypt all routable IP packets traversing the network including user and control plane traffic using a single method for both types of traffic, where IP routing is maintained for individual traffic flows as would be expected before encryption and authentication was applied.